China-Aligned APT Group Exploits Windows Group Policy for Stealthy Malware Deployment
A sophisticated cyberespionage campaign has been uncovered, targeting governmental entities across Southeast Asia and Japan. This operation is attributed to a newly identified China-aligned advanced persistent threat (APT) group, dubbed LongNosedGoblin. Active since at least September 2023, LongNosedGoblin employs a diverse array of custom C#/.NET malware families, focusing primarily on intelligence gathering. Their operations are characterized by stealthy techniques designed to infiltrate sensitive networks and maintain prolonged, undetected access.
Abuse of Windows Group Policy
A hallmark of LongNosedGoblin's tradecraft is the abuse of Windows Group Policy for lateral movement and malware deployment. No vulnerability in Group Policy is exploited: once the attackers hold sufficient privileges in Active Directory, they can attach their payload to a Group Policy Object and let every domain-joined machine that applies it pull the malware during its regular policy refresh. This rides the same mechanism administrators use to deploy software, so the delivery looks like routine policy traffic rather than an intrusion into each host individually. The group uses this channel to propagate tools such as NosyHistorian, which harvests browser history to identify high-value targets for follow-on activity.
ESET researchers, writing on WeLiveSecurity, identified this malware in early 2024 within a Southeast Asian government network, where multiple machines were compromised simultaneously via Group Policy updates. The investigation showed that the attackers named their malware after legitimate policy files, such as History.ini or Registry.pol, so that it would blend into the local Group Policy cache (%ProgramData%\Microsoft\Group Policy\History). Registry.pol is the file in which a GPO's registry settings are stored, so a file by that name in the cache attracts no attention; the giveaway is its content, since a genuine Registry.pol begins with the "PReg" signature and a version number, not with a PE header. This camouflage underscores the group's emphasis on evasion and persistence within compromised environments.
NosyDoor Execution Mechanism
The group's primary backdoor, NosyDoor, exemplifies their reliance on living-off-the-land techniques and cloud-based command-and-control infrastructure. The malware runs through a three-stage execution chain designed to evade detection by standard security products.
The infection begins with a dropper that decrypts embedded payloads using the Data Encryption Standard (DES) with the 8-byte key UevAppMo. The dropper applies execution guardrails so that the malware only detonates on specific victim machines. Once validated, it establishes persistence by creating a scheduled task that runs a legitimate Windows binary, UevAppMonitor.exe (the User Experience Virtualization application monitor, a signed Microsoft .NET executable), which the malware copies from System32 into the .NET framework directory.
The core of the evasion strategy is AppDomainManager injection. Because UevAppMonitor.exe is a .NET application, the CLR reads an application configuration file (UevAppMonitor.exe.config) from the same directory at startup. The attackers plant a config whose appDomainManagerAssembly and appDomainManagerType settings instruct the runtime to create the default application domain through a class in SharedReg.dll, so their code runs inside a signed Microsoft process before the program's own entry point. The configuration file must sit beside the executable, which is the likely reason the binary is copied out of System32 rather than launched in place. SharedReg.dll then bypasses the Antimalware Scan Interface (AMSI) and decrypts the final NosyDoor payload.
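The injection hinges on two elements under `<runtime>` in an application config, so a defender can hunt for it by parsing `.exe.config` files. The scanner below is an added example written for this article, not ESET's tooling or code from the campaign; the assembly name SharedReg is taken from the text, while the type name `SharedReg.Manager`, the two file paths and both config bodies are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"

# Constructed sample: an ordinary application config that only pins the runtime.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
  </startup>
</configuration>"""

# Constructed sample of a hijacked config. The assembly name SharedReg comes from
# the article; the type name SharedReg.Manager is a hypothetical placeholder.
INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="SharedReg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="SharedReg.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="."/>
    </assemblyBinding>
  </runtime>
</configuration>"""


def find_appdomain_manager(config_xml):
    """Return details of an AppDomainManager override in a .config, or None.

    The CLR honours <appDomainManagerAssembly> and <appDomainManagerType>
    under <runtime>. Ordinary application configs very rarely set them, and
    one that names a non-Microsoft assembly next to a copied Windows binary
    is the pattern described in the article."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    # privatePath widens assembly probing; "." or a relative path keeps the
    # hijack self-contained in the directory the binary was copied to.
    probing = runtime.find(ASM_NS + "assemblyBinding/" + ASM_NS + "probing")
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
        "private_path": probing.get("privatePath") if probing is not None else None,
    }


def scan_configs(configs):
    """configs: {path: xml text}. Returns [(path, finding)] for hijacked configs."""
    findings = []
    for path, text in configs.items():
        try:
            finding = find_appdomain_manager(text)
        except ET.ParseError:
            continue  # not well-formed XML, so not a config the CLR would honour
        if finding is not None:
            findings.append((path, finding))
    return findings


# Constructed paths: a config beside the original binary, and one beside the
# copy in the .NET framework directory (the version subfolder is assumed).
SAMPLE_CONFIGS = {
    r"C:\Windows\System32\UevAppMonitor.exe.config": BENIGN_CONFIG,
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UevAppMonitor.exe.config": INJECTED_CONFIG,
}

if __name__ == "__main__":
    for path, finding in scan_configs(SAMPLE_CONFIGS):
        print("AppDomainManager hijack:", path, finding)
```

Two caveats when turning this into a hunt: a config is only consulted when it is named after the executable it sits beside, so the file to look for is `<binary>.exe.config` in whatever directory the copy landed in, and the same override can also be set through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables without any config file, so pair the file scan with process-creation telemetry for Microsoft-signed .NET binaries launched from outside their normal location.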
The backdoor then retrieves its configuration and initiates communication with Microsoft OneDrive using RSA-encrypted metadata to receive commands stored in task files.
Implications and Recommendations
The discovery of LongNosedGoblin’s activities highlights the evolving tactics of state-sponsored cyber actors. By leveraging legitimate system management tools like Windows Group Policy, these attackers can achieve widespread distribution of malware while minimizing detection. This approach underscores the need for organizations to implement robust monitoring of Group Policy changes and to scrutinize the integrity of policy files regularly.
To mitigate such threats, organizations should:
1. Monitor Group Policy Changes: Log and alert on modifications to Group Policy Objects, both the directory objects themselves (Windows Security event 5136, a directory service object was modified, filtered to the groupPolicyContainer class) and the policy files under the SYSVOL Policies share, where file-system auditing can catch a new or rewritten Registry.pol.
2. Validate Policy Files: Verify that files in the local Group Policy cache and in SYSVOL are what their names claim. A real Registry.pol starts with the "PReg" signature and parses as policy entries; any file in those directories that is actually a PE executable, whatever it is named, is a red flag, and the cached copy should match the GPO's copy in SYSVOL.
3. Enhance Endpoint Detection: Deploy endpoint detection and response (EDR) tooling tuned for living-off-the-land behaviour, including a scheduled task that launches a copy of a System32 binary from an unusual directory, a .exe.config file that sets appDomainManagerAssembly, and tampering with AMSI.
4. Conduct Regular Audits: Periodically review Active Directory for misconfigurations and excess privilege, in particular which accounts hold write rights on GPOs and on SYSVOL, since that is the access this campaign turns into domain-wide deployment.
5. Educate Personnel: Train IT staff on current tradecraft and on the importance of strict controls over system management tools such as Group Policy, which attackers abuse precisely because it is trusted.
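The validation in item 2, and the camouflage described earlier where payloads were named History.ini or Registry.pol, both come down to checking that a policy file has the structure Microsoft's Registry.pol format specifies: a "PReg" signature, a version DWORD of 1, and entries of the form [key;value;type;size;data] with UTF-16LE brackets, semicolons and strings. The parser and cache scan below are an added example for this article, not ESET's code or anything recovered from the campaign; the sample cache contents, the minimal PE stand-in for a .NET payload and the two registry settings are constructed.

```python
import struct

# Registry.pol layout (Microsoft's PReg format): a 4-byte "PReg" signature, a
# 4-byte little-endian version (1), then entries "[key;value;type;size;data]"
# where the brackets and semicolons are UTF-16LE characters, key and value are
# NUL-terminated UTF-16LE strings, and type and size are 4-byte DWORDs.
PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def _w(text):
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value, reg_type, data) tuples into PReg v1 bytes.
    Used here only to construct sample input; real files come from SYSVOL."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, reg_type, data in entries:
        out += _w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
        out += struct.pack("<I", reg_type) + _w(";")
        out += struct.pack("<I", len(data)) + _w(";") + data + _w("]")
    return bytes(out)


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, pos after NUL)."""
    end = pos
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(blob):
        raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(blob):
    """Parse Registry.pol bytes into a list of entries; ValueError if malformed."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("bad signature %r, not a Registry.pol" % blob[:4])
    if len(blob) < 8 or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("unsupported PReg version")
    entries, pos = [], 8
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data for %s\\%s" % (key, value))
        pos = _expect(blob, pos + size, "]")
        entries.append({"key": key, "value": value,
                        "type": REG_TYPES.get(reg_type, reg_type), "data": data})
    return entries


def classify_policy_file(path, blob):
    """Verdict for one file found under the local Group Policy cache."""
    if blob[:2] == b"MZ":
        return "suspicious", "%s is a PE executable, not policy data" % path
    if path.lower().endswith(".pol"):
        try:
            count = len(parse_registry_pol(blob))
        except ValueError as exc:
            return "suspicious", "%s: %s" % (path, exc)
        return "ok", "%s: %d registry settings" % (path, count)
    return "review", "%s: unexpected file in policy cache, inspect manually" % path


def scan_cache(files):
    """files: {relative path: bytes}. Returns {path: (verdict, detail)}."""
    return {path: classify_policy_file(path, blob) for path, blob in files.items()}


# Constructed sample cache: a genuine Registry.pol, a payload stand-in (minimal
# PE header) named History.ini as in the article, and another renamed Registry.pol.
LEGIT_POL = build_registry_pol([
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", 4, struct.pack("<I", 0)),
    ("Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", 4, struct.pack("<I", 1)),
])
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 64) + b"PE\x00\x00"
SAMPLE_CACHE = {
    "Machine/Registry.pol": LEGIT_POL,
    "Machine/History.ini": FAKE_PE,
    "User/Registry.pol": FAKE_PE,
}

if __name__ == "__main__":
    for path, (verdict, detail) in scan_cache(SAMPLE_CACHE).items():
        print(verdict.upper().ljust(10), detail)
```

Run against a real host, the input would be the files under %ProgramData%\Microsoft\Group Policy\History and, on a domain controller, the Machine and User folders of each GPO in SYSVOL; the content check is what matters, since the file name is exactly the thing the attackers chose to match. Parsing the entries rather than only checking the signature also lets the same script diff the registry settings a GPO actually carries against what the administrators believe they configured.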
By adopting these measures, organizations can strengthen their defenses against sophisticated cyberespionage campaigns and protect sensitive information from unauthorized access.